ELA-772-1 sudo security update

privilege escalation

Version1.8.10p3-1+deb8u9 (jessie), 1.8.19p1-2.1+deb9u5 (stretch)
Related CVEs CVE-2023-22809

Matthieu Barjole and Victor Cutillas discovered that sudoedit in sudo, a program designed to provide limited super user privileges to specific users, does not properly handle ‘–’ to separate the editor and arguments from files to edit. A local user permitted to edit certain files can take advantage of this flaw to edit a file not permitted by the security policy, resulting in privilege escalation.

For Debian 8 jessie, these problems have been fixed in version 1.8.10p3-1+deb8u9.

For Debian 9 stretch, these problems have been fixed in version 1.8.19p1-2.1+deb9u5.

We recommend that you upgrade your sudo packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.